Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redact single-part login credentials from URLs. #6891

Closed
chrahunt opened this issue Aug 18, 2019 · 2 comments · Fixed by #6921
Closed

Redact single-part login credentials from URLs. #6891

chrahunt opened this issue Aug 18, 2019 · 2 comments · Fixed by #6921
Labels
auto-locked Outdated issues that have been locked by automation good first issue A good item for first time contributors to work on type: enhancement Improvements to functionality type: security Has potential security implications

Comments

@chrahunt
Copy link
Member

chrahunt commented Aug 18, 2019
edited
Loading

What's the problem this feature will solve?

Currently pip._internals.utils.misc.redact_password_from_url does the following:

  1. input: http://hello:[email protected]/bar; output: http://hello:****@foo.com/bar
  2. input: http://[email protected]/bar; output: http://[email protected]/bar

This can be bad and still leak credentials for index servers that use a single API token for login, for example:

  1. input: https://[email protected]; output: https://[email protected]

Describe the solution you'd like

When the auth portion of a URL consists of a single element, we should be redacting it.

This should require renaming pip._internal.utils.misc.redact_password_from_url to redact_auth_from_url and updating the behavior so that if only a username is present, then it will be redacted.

Some tests that will also need to be updated:

  1. tests.unit.test_utils.test_redact_netloc
  2. tests.unit.test_utils.test_redact_password_from_url

Alternative Solutions

  1. Do nothing

Additional context

This was mentioned as an issue on PR #6890.

For an example of when this single-part login is used, see #6796.

This issue is a good starting point for anyone who wants to help out with pip's development -- it's simple and the process of fixing this should be a good introduction to pip's development workflow.
@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Aug 18, 2019
@chrahunt chrahunt added type: enhancement Improvements to functionality type: security Has potential security implications labels Aug 18, 2019
@triage-new-issues triage-new-issues bot removed the S: needs triage Issues/PRs that need to be triaged label Aug 18, 2019
@chrahunt chrahunt mentioned this issue Aug 18, 2019
Merged
@cjerdonek
Copy link
Member

@chrahunt Were you going to mark this "good first issue" with instructions?

@chrahunt chrahunt added the good first issue A good item for first time contributors to work on label Aug 25, 2019
@chrahunt
Copy link
Member Author

chrahunt commented Aug 25, 2019
edited
Loading

Yes, thanks for the reminder! I have updated the issue description.

@atugushev atugushev mentioned this issue Aug 25, 2019
Merged
@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Sep 25, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Sep 25, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
auto-locked Outdated issues that have been locked by automation good first issue A good item for first time contributors to work on type: enhancement Improvements to functionality type: security Has potential security implications
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Redact single-part login credentials from URLs atugushev/pip
2 participants
@cjerdonek @chrahunt